freeradius with multiple ldap servers

Sambuddho Chakravarty sc2516 at columbia.edu
Thu Jul 3 00:20:11 CEST 2008


Hello
 I think I know what the problem is. The radius server is looking up
using the cleartext password, while the LDAP database stores the hashed
passwords. How can I force the radius server to search for the password
as a hashed value (rather than searching for the clear-text value)?

Thanks
Sambuddho
On Wed, 2008-07-02 at 17:09 -0400, Sambuddho Chakravarty wrote:
> Hello Alan
>   I made sure this time that rlm_ldap was compiled. Now the following is
> the configuration
> 
> ------/etc/raddb/modules/ldap-----------
> 
> ldap ldap1 {
> 	server = "a.b.c.d"
> 	...
> 	}
> 
> ldap ldap2 {
> 	server = "w.x.y.z"
> 	...
> 	}
> 
> -----/etc/raddb/radiusd.conf-----
> 
> authorize {
> 	ldap1
> 	ldap2
> 	}
> 
> authenticate {
> 	ldap1
> 	ldap2
> 	}
> 
> ------------------------------------
> 
> When I execute /sbin/radiusd -X 
> 
> It shows instantiating module ldap1 and module ldap2 
> 
> ....
>  Module: Instantiating ldap1
>   ldap ldap1 {
>         server = "a.b.c.d"
>         port = 389
> ....
>  Module: Instantiating ldap2
>   ldap ldap2 {
>         server = "w.x.y.z"
>         port = 389
> ....
> 
> When sending a radtest request using the following command (from the
> same machine as one which is running the server)
> 
> $ radtest user "secret" localhost 2 testing123
> 
> I get ACCESS-REJECT reply from the server.
> 
> On the server the logs show something like this
> ---------------------------------------------------
> It shows binding to both LDAP servers one by one through something like
> this :
> 
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>         expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 30.0.0.2:389, authentication 0
> rlm_ldap: bind as / to 30.0.0.2:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap1] returns notfound
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for catch
> WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
> details
>         expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=catch)
>         expand: ou=People,dc=example,dc=example ->
> ou=People,dc=example,dc=example
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 10.0.0.1:389, authentication 0
> rlm_ldap: bind as / to 10.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=People,dc=example,dc=example, with
> filter (uid=catch)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap2] returns notfound
> 
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.
> 
> You can see it is attempting to search both databases but fails. If I
> use a simple telnet or ssh to authenticate against the LDAP server it
> logs in fine. LDAP client login against the LDAP server is otherwise
> working fine. I know I have been bothering you with trivial questions,
> but any help would be appreciated :-)
> 
> Thanks in advance.
> Sambuddho
> 
> 
> 
> On Tue, 2008-07-01 at 22:33 +0200, Alan DeKok wrote:
> > Sambuddho Chakravarty wrote:
> > >  This is exactly what I did . I forgot to put the separate module names
> > 
> >   The consistent problems you see make me think that the issue is more
> > than "forgot".
> > 
> > > And now when I try to start the server this is what the error I see :
> > > 
> > > 
> > > server {
> > >  modules {
> > >  Module: Checking authenticate {...} for more modules to load
> > > //etc/raddb/modules/ldap1[29]: Failed to link to module 'rlm_ldap':
> > 
> >   So.... was that module built?  Apparently not...
> > 
> > > When trying with a single server ,it matches the radius request against
> > > rlm_pap and not rlm_ldap. I am confused. 
> > 
> >   Perhaps reading the debug output (and that of "configure" and "make")
> > would help.
> > 
> >   Alan DeKok.
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

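Editor's note, with an added example that is not from the thread and not shipped by the FreeRADIUS project. The debug output above never reaches a password comparison: in the authorize step rlm_ldap only searches for the user's entry, and both directories answer "object not found" for (uid=catch) under ou=People,dc=example,dc=example, so each instance returns notfound and no Auth-Type is ever set. Password hashing cannot be the cause at that point. The things to check are the basedn and filter (the ":-" form is the deprecated 1.x syntax, as the WARNING says), whether the anonymous bind shown as "bind as / " is allowed to see the entries at all, and that the user really exists on one of the two servers. Once an entry is found, rlm_ldap in 2.x authenticates by binding to the directory as the user's DN with the password from the request; the directory compares it against its own stored hash and the RADIUS server never needs the hash. The layout below (hostnames, bind account and base DN are placeholders) also shows how to fall through to the second directory on notfound rather than only on a connection failure, which is the difference between an unlang if (notfound) block and a redundant group.

```conf
# Added example (not the original poster's config and not shipped by the
# FreeRADIUS project).  FreeRADIUS 2.x, two LDAP directories, users may
# live on either one.  Hostnames, bind account and base DN are placeholders.

# --- /etc/raddb/modules/ldap ---
ldap ldap1 {
    server = "ldap1.example.com"            # placeholder
    port = 389
    # Bind with a service account.  "bind as / " in the debug output is an
    # anonymous bind; many directories hide entries or userPassword from it.
    identity = "cn=radius,ou=Services,dc=example,dc=com"   # placeholder
    password = "change-me"                                 # placeholder
    basedn = "ou=People,dc=example,dc=com"                 # must match the tree
    # 2.x expansion syntax; "%{Stripped-User-Name:-%{User-Name}}" is the
    # deprecated 1.x form that triggers the WARNING in the debug output.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # If the entry is found but no password attribute can be read, set
    # Auth-Type to this instance's name so the authenticate section binds
    # as the user's DN; the directory then checks the password against its
    # own (hashed) copy and the RADIUS server never sees the hash.
    set_auth_type = yes
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

ldap ldap2 {
    server = "ldap2.example.com"            # placeholder
    port = 389
    identity = "cn=radius,ou=Services,dc=example,dc=com"   # placeholder
    password = "change-me"                                 # placeholder
    basedn = "ou=People,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    set_auth_type = yes
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# --- /etc/raddb/sites-enabled/default ---
authorize {
    preprocess
    ldap1
    # Try the second directory only when the first one answered "no such
    # user".  A "redundant { ldap1 ldap2 }" group would NOT do this: it
    # moves on to the next module on "fail" (server unreachable), not on
    # "notfound".
    if (notfound) {
        ldap2
    }
    # If a readable password attribute was fetched instead, pap handles it.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # Reached when ldap1 or ldap2 set Auth-Type to its own instance name:
    # the module binds as the user's DN with the request's password.
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
}
```

To reproduce exactly what the authorize step is doing, run the same anonymous search from the RADIUS host against each directory, e.g. `ldapsearch -x -H ldap://a.b.c.d -b 'ou=People,dc=example,dc=example' '(uid=catch)'`. If that returns no entry anonymously but does return it with `-D <bind DN> -W`, the directory's access controls are the problem and rlm_ldap needs identity/password set; if it returns nothing either way, the user is not under that basedn on that server. Then start the server with `radiusd -X` again and confirm that after ldap1 returns notfound the debug output shows ldap2 being searched, and that a found user leaves the authorize section with an Auth-Type set rather than the "No authenticate method (Auth-Type)" rejection seen above.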